Microprocessor with secure execution mode and store key instructions

ABSTRACT

A microprocessor conditionally grants a request to switch from a normal execution mode in which encrypted instructions cannot be executed, into a secure execution mode (SEM). Thereafter, the microprocessor executes a plurality of instructions, including a store-key instruction to write a set of one or more cryptographic key values into a secure memory of the microprocessor. After fetching an encrypted program from an instruction cache, the microprocessor decrypts the encrypted program into plaintext instructions using decryption logic within the microprocessor&#39;s instruction-processing pipeline.

CROSS REFERENCE TO RELATED APPLICATION(S)

This application is a continuation-in-part of U.S. Non-Provisionalapplication Ser. No. 14/066,350, filed Oct. 29, 2013, which is adivisional of U.S. Non-Provisional application Ser. No. 13/091,641,filed Apr. 21, 2011, which application claims priority based on U.S.Provisional Application, Ser. No. 61/348,127, filed May 25, 2010,entitled MICROPROCESSOR THAT FETCHES AND DECRYPTS ENCRYPTED INSTRUCTIONSIN SAME TIME AS PLAIN TEXT INSTRUCTIONS, each of which is herebyincorporated by reference in its entirety.

This application is related to the following co-pending U.S. PatentApplications, each of which is incorporated by reference herein for allpurposes.

Ser. No. Filing Date Title 13/091,487 Apr. 21, 2011 MICROPROCESSOR THATFETCHES AND DECRYPTS ENCRYPTED INSTRUCTIONS IN SAME TIME AS PLAIN TEXTINSTRUCTIONS 13/091,547 Apr. 21, 2011 SWITCH KEY INSTRUCTION IN AMICROPROCESSOR THAT FETCHES AND DECRYPTS ENCRYPTED INSTRUCTIONS13/091,698 Apr. 21, 2011 MICROPROCESSOR THAT FACILITATES TASK SWITCHINGBETWEEN ENCRYPTED AND UNENCRYPTED PROGRAMS 13/091,785 Apr. 21, 2011MICROPROCESSOR THAT FACILITATES TASK SWITCHING BETWEEN MULTIPLEENCRYPTED PROGRAMS HAVING DIFFERENT ASSOCIATED DECRYPTION KEY VALUES13/091,828 Apr. 21, 2011 BRANCH TARGET ADDRESS CACHE FOR PREDICTINGINSTRUCTION DECRYPTION KEYS IN A MICROPROCESSOR THAT FETCHES ANDDECRYPTS ENCRYPTED INSTRUCTIONS

FIELD OF THE INVENTION

The present invention relates in general to the field ofmicroprocessors, and particularly to increasing the security of programsexecuting thereon.

BACKGROUND OF THE INVENTION

It is well known that many software programs are vulnerable to attacksthat breach the security of a computer system. For example, an attackermay attempt to exploit a buffer overflow vulnerability of a runningprogram to inject code and cause a transfer of control to the injectedcode, in which case the injected code has the privileges of the attackedprogram. One attempt to preventing attacks on software programs isbroadly referred to as instruction set randomization. Broadly speaking,instruction set randomization involves encrypting the program in somefashion and then decrypting it within the processor after the processorfetches the program from memory. In this way, the attacker's task ofinjecting instructions is made more difficult because the injectedinstructions must be properly encrypted (e.g., using the same encryptionkey and algorithm as the program under attack) in order to correctlyexecute. See for example, Counter Code-Injection Attacks withInstruction-Set Randomization, by Gaurav S. Kc, Angelos D. Keromytis,and Vassilis Prevelakis, CCS '03, Oct. 27-30, 2003, Washington, D.C.,USA, ACM 1-58113-738-9/03/0010, which describes a modified version ofthe bochs-x86 Pentium emulator. Others have pointed out deficiencies ofthe approach. See for example, Where's the FEEB? The Effectiveness ofInstruction Set Randomization, by Ana Nora Sovarel, David Evans, andNathanael Paul, http://www.cs.virginia.edu/feeb.

BRIEF SUMMARY OF INVENTION

In one characterization of the invention, a method is provided forsecurely executing encrypted instructions within a microprocessor. Priorto decrypting any encrypted instructions, the microprocessor receives arequest (for example, in the form of an instruction) to switch from anormal execution mode in which encrypted instructions cannot beexecuted, into a secure execution mode (SEM), in which they can. Themicroprocessor conditionally grants the request. The condition mayitself be in the form of some cryptographic authentication. For example,in one implementation, the microprocessor is configured to execute aninstruction to write cryptographic key values to the secure memory usingan immediate data field of the instruction.

Subsequently, the microprocessor receives an instruction to write a setof cryptographic key values, to be used to decrypt an encrypted program,into a secure memory of the microprocessor. This is distinguished fromany instruction that may have been used to request the switch fromnormal execution mode into secure execution mode.

Thereafter, the microprocessor fetches an encrypted program from aninstruction cache and decrypts the encrypted program into plaintextinstructions using one or more sets of one or more cryptographic keyvalues stored in the secure memory, or one or more derivatives thereof,to decrypt the encrypted program.

As encrypted program instructions are decrypted into plaintextinstructions, the microprocessor executes them without exposing theplaintext instructions to any non-privileged program or to any resourcesexternal to the microprocessor.

In one aspect, the secure memory into which the cryptographic key valuesare stored is inaccessible from a processor bus of the microprocessorand is not part of a cache memory hierarchy. Also, a non-privilegedprogram is unable to read or write cryptographic key values from or tothe secure memory.

In another characterization of the invention, a microprocessor isprovided comprising an instruction-processing pipeline, a processor bus,a cache memory hierarchy, and a secure memory for storing cryptographickeys.

The microprocessor is configured to receive a request to switch from anormal execution mode in which encrypted instructions cannot beexecuted, into a secure execution mode (SEM), in which they can;conditionally grant the request; execute an instruction to write a setof one or more cryptographic key values into a secure memory of themicroprocessor; and fetch an encrypted program from an instructioncache. The microprocessor is also configured to decrypt the encryptedprogram into plaintext instructions using decryption logic within theinstruction-processing pipeline. The decryption logic uses cryptographickey values stored in the secure memory, or one or more derivativesthereof, to decrypt the encrypted program.

In one aspect, the microprocessor is configured to execute the programwithout exposing the plaintext instructions to any non-privilegedprogram or to any resources external to the microprocessor. In anotheraspect, the secure memory is inaccessible via the processor bus and notpart of the cache memory hierarchy. Relatedly, the microprocessorrestricts access to the secure memory by preventing a non-privilegedprogram from reading or writing cryptographic key values to or from thesecure memory.

In another aspect, the microprocessor is configured to decryptsuccessive sections of the encrypted program using sets of one or morecryptographic key values, or derivatives thereof, that are selected fromthe secure memory according to addresses at which the successivesections of the encrypted program are stored.

In another aspect, the microprocessor is configured to conditiongranting the request to switch into SEM on the basis of whether therequest is in the form of an instruction carrying an encryptedparameter, the instruction is part of a privileged program or process,and the encrypted parameter, when decrypted, meets a predeterminedcriteria for running the encrypted program. In one implementation, theencrypted parameter and encrypted program are encrypted using distinctcryptographic mechanisms.

In another aspect, successive sections of the encrypted program areencrypted according to addresses at which the successive sections of theencrypted program are stored.

In other aspects, the microprocessor comprises SEM exception handlinglogic and SEM interrupt handling logic that are inaccessible to programsrunning in normal execution mode, and the microprocessor is configuredto use the SEM exception handling logic and SEM interrupt handling logicwhen operating in the SEM. Moreover, the microprocessor preventsdecryption of encrypted instructions unless the microprocessor is in theSEM.

In another aspect, the secure memory is configured to receivecryptographic key values through an encrypted channel. And in anotheraspect, the microprocessor is configured to prevent decryption ofencrypted instructions unless the microprocessor is operating in thesystem management mode of the x86 architecture.

The ways in which the invention can be characterized, or might beclaimed, are numerous and not limited to the ones described above.Alternative characterizations of the invention may include merely asubset of the elements described in this summary, or a subset incombination with other elements not mentioned here. The actual scope ofthe claims is set forth within the language of the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a microprocessor according to thepresent invention.

FIG. 2 is a block diagram illustrating in more detail the fetch unit ofFIG. 1.

FIG. 3 is a flowchart illustrating operation of the fetch unit of FIG. 2according to the present invention.

FIG. 4 is a block diagram illustrating the fields of the EFLAGS registerof FIG. 1 according to the present invention.

FIG. 5 is a block diagram illustrating the format of a load keyinstruction according to the present invention.

FIG. 6 is a block diagram illustrating the format of a switch keyinstruction according to the present invention.

FIG. 7 is a flowchart illustrating operation of the microprocessor ofFIG. 1 to perform the switch key instruction of FIG. 6 according to thepresent invention.

FIG. 8 is a block diagram illustrating a memory footprint of anencrypted program that includes switch key instructions of FIG. 6according to the present invention.

FIG. 9 is a block diagram illustrating the format of a branch and switchkey instruction according to the present invention.

FIG. 10 is a flowchart illustrating operation of the microprocessor ofFIG. 1 to perform the branch and switch key instruction of FIG. 9according to the present invention.

FIG. 11 is a flowchart illustrating operation of a post-processor, whichis a software utility that may be employed to post-process a program andencrypt it for execution by the microprocessor of FIG. 1 according tothe present invention.

FIG. 12 is a block diagram illustrating the format of a branch andswitch key instruction according to an alternate embodiment of thepresent invention.

FIG. 13 is a block diagram illustrating a chunk address range tableaccording to the present invention.

FIG. 14 is a flowchart illustrating operation of the microprocessor ofFIG. 1 to perform the branch and switch key instruction of FIG. 12according to the present invention.

FIG. 15 is a block diagram illustrating the format of a branch andswitch key instruction according to an alternate embodiment of thepresent invention.

FIG. 16 is a block diagram illustrating a chunk address range tableaccording to the present invention.

FIG. 17 is a flowchart illustrating operation of the microprocessor ofFIG. 1 to perform the branch and switch key instruction of FIG. 15according to the present invention.

FIG. 18 is a flowchart illustrating operation of a post-processor thatmay be employed to post-process a program and encrypt it for executionby the microprocessor of FIG. 1 according to an alternate embodiment ofthe present invention.

FIG. 19 is a flowchart illustrating operation of the microprocessor ofFIG. 1 to accommodate task switching between an encrypted program and aplain text program according to the present invention.

FIG. 20 is a flowchart illustrating operation of system software runningon the microprocessor of FIG. 1 according to the present invention.

FIG. 21 is a block diagram illustrating the fields of the EFLAGSregister of FIG. 1 according to an alternate embodiment of the presentinvention.

FIG. 22 is a flowchart illustrating operation of the microprocessor ofFIG. 1 having an EFLAGS register according to FIG. 21 to accommodatetask switching between multiple encrypted programs according to thepresent invention.

FIG. 23 is a flowchart illustrating operation of the microprocessor ofFIG. 1 having an EFLAGS register according to FIG. 21 to accommodatetask switching between multiple encrypted programs according to thepresent invention.

FIG. 24 is a block diagram illustrating a single register of the keyregister file of FIG. 1 according to an alternate embodiment of thepresent invention.

FIG. 25 is a flowchart illustrating operation of the microprocessor ofFIG. 1 having an EFLAGS register according to FIG. 21 and a key registerfile according to FIG. 24 to accommodate task switching between multipleencrypted programs according to an alternate embodiment of the presentinvention.

FIG. 26 is a flowchart illustrating operation of the microprocessor ofFIG. 1 having an EFLAGS register according to FIG. 21 and a key registerfile according to FIG. 24 to accommodate task switching between multipleencrypted programs according to an alternate embodiment of the presentinvention.

FIG. 27 is a block diagram illustrating portions of the microprocessorof FIG. 1 according to an alternate embodiment of the present invention.

FIG. 28 is a block diagram illustrating in more detail the BTAC of FIG.27 according to the present invention.

FIG. 29 is a block diagram illustrating in more detail the contents of aBTAC entry of FIG. 28 according to the present invention.

FIG. 30 is a flowchart illustrating operation of the microprocessor ofFIG. 27 including the BTAC of FIG. 28 according to the presentinvention.

FIG. 31 is a flowchart illustrating operation of the microprocessor ofFIG. 27 including the BTAC of FIG. 28 according to the presentinvention.

FIG. 32 is a flowchart illustrating operation of the microprocessor ofFIG. 27 to perform a branch and switch key instruction according to thepresent invention.

DETAILED DESCRIPTION OF THE INVENTION

Referring now to FIG. 1, a block diagram illustrating a microprocessor100 according to the present invention is shown. The microprocessor 100includes a pipeline including an instruction cache 102, a fetch unit104, a decode unit 108, execution units 112, and a retire unit 114. Themicroprocessor 100 also includes a microcode unit 132 that providesmicrocode instructions to the execution units 112. The microprocessor100 also includes general purpose registers 118 and an EFLAGS register128 that provide instruction operands to the execution units 112 and areupdated by the retire unit 114 with instruction execution results. Inone embodiment, the EFLAGS register 128 is a conventional x86 EFLAGSregister modified as described in more detail below.

The fetch unit 104 fetches instruction data 106 from the instructioncache 102. The fetch unit 104 operates in one of two modes: a decryptionmode and a plain text mode. An E bit 148 in a control register 144 ofthe fetch unit 104 determines whether the fetch unit 104 is operating indecryption mode (E bit set) or plain text mode (E bit clear). In plaintext mode, the fetch unit 104 treats the instruction data 106 fetchedfrom the instruction cache 102 as non-encrypted, or plain text,instruction data and therefore does not decrypt the instruction data106; however, in decryption mode, the fetch unit 104 treats theinstruction data 106 fetched from the instruction cache 102 as encryptedinstruction data that must be decrypted using decryption keys stored ina master key register file 142 of the fetch unit 104 into plain textinstruction data, as described in more detail below with respect toFIGS. 2 and 3.

The fetch unit 104 also includes a fetch address generator 164 thatgenerates a fetch address 134 that is used to fetch the instruction data106 from the instruction cache 102. The fetch address 134 is alsoprovided to a key expander 152 of the fetch unit 104. The key expander152 selects two keys 172 from the master key register file 142 andperforms an operation on them to generate a decryption key 174, which isprovided as a first input to a mux 154. The second input to the mux 154is binary zeroes 176. The E bit 148 controls the mux 154 such that ifthe E bit 148 is set, the mux 154 selects the decryption key 174 andselects the zeroes 176 if the E bit 148 is clear. The output 178 of themux 154 is provided as a first input to XOR logic 156 which performs aBoolean exclusive-OR (XOR) operation of the fetched instruction data 106with the mux output 178 to generate the plain text instruction data 162.The encrypted instruction data 106 was previously encrypted by XOR-ingits corresponding plain text instruction data with an encryption keyhaving the same value as the decryption key 174. The fetch unit 104 willbe described in more detail below with respect to FIGS. 2 and 3.

The plain text instruction data 162 is provided to the decode unit 108which decodes the stream of plain text instruction data 162, breaks itdown into distinct x86 instructions, and issues them to the executionunits 112 for execution. In one embodiment, the decode unit 108 includesbuffers, or queues, for buffering the stream of plain text instructiondata 162 prior to and during decoding. In one embodiment, the decodeunit 108 includes an instruction translator that translates the x86instructions into microinstructions, or micro-ops, that are executed bythe execution units 112. As the decode unit 108 emits instructions, italso emits a bit for each instruction that proceeds down the pipelinewith the instruction to indicate whether or not the instruction was anencrypted instruction. The bit enables the execution units 112 andretire unit 114 to make decisions and take actions based on whether theinstruction was an encrypted instruction or a plain text instructionwhen it was fetched from the instruction cache 102. In one embodiment,plain text instructions are not allowed to perform certain actionsrelated to instruction decryption mode operation.

In one embodiment, the microprocessor 100 is an x86 architectureprocessor; however, other processor architectures may be employed. Aprocessor is an x86 architecture processor if it can correctly execute amajority of the application programs that are designed to be executed onan x86 processor. An application program is correctly executed if itsexpected results are obtained. In particular, the microprocessor 100executes instructions of the x86 instruction set and includes the x86user-visible register set.

In one embodiment, the microprocessor 100 is configured to provide acomprehensive security architecture referred to as secure execution mode(SEM) in which programs may execute. According to one embodiment,execution of SEM programs can be invoked by several processor events andcannot be blocked by normal (non-SEM) execution. Moreover, a SEMENABLEinstruction can invoke a transition from normal execution mode to SEM.In one implementation, the SEMENABLE instruction has an encryptedparameter, encrypted via a private key of an authorizing entity, whichis a cryptographic mechanism that is distinct from the symmetric keyencryption cryptographic mechanism with which the encrypted program isencrypted. Secure code interface logic within the microprocessor 100uses a public key stored during manufacture to decrypt and authenticatethe parameter. After the parameter is decrypted, SEM initializationlogic initializes the secure mode.

Examples of functions performed by programs executing in SEM includecritical security tasks such as verifying certificates and encryptingdata, monitoring system software activities, verifying the integrity ofsystem software, tracking resource usage, controlling installation ofnew software, and so forth. Embodiments of the SEM are described indetail in U.S. Pat. No. 8,615,799, issued Dec. 24, 2013, which claimspriority to U.S. Provisional Application No. 61/055,980, filed, May 24,2008, each of which is hereby incorporated by reference herein in itsentirety.

In one embodiment, the microprocessor is configured to execute bothnormal mode and secure mode instructions. When operating in normal mode,none of the resources associated with secure execution of secureapplication programs are observable or operational. In secure mode, bothsecure and non-secure applications can be executed, but the non-secureapps do not have access to secure resources. Watchdog logic monitorsveracity of secure code and data and environment and physical attributesof the system for evidence of tampering. SEM interrupt-handling andexception logic is provided that is distinct from normal execution modeinterrupt-handling and exception logic.

In one embodiment, a secure non-volatile memory (not shown) for SEMdata, such as a flash memory, which may be used to store decryptionkeys, is coupled to the microprocessor 100 via a private serial bus, andall the data therein is AES-encrypted and signature-verified. In oneembodiment, the microprocessor 100 includes a small amount ofnon-volatile write-once memory (not shown) that may be used to storedecryption keys, which according to one embodiment is a fuse-embodiednon-volatile storage described in U.S. Pat. No. 7,663,957, which ishereby incorporated by reference in its entirety. An advantage of theinstruction decryption feature described herein is that it provides anextension to the SEM that enables secure programs to be stored in memoryoutside the microprocessor 100 rather than requiring the secure programsto be stored entirely within the microprocessor 100. Thus, the secureprograms may be able to take advantage of the full size and function ofthe memory hierarchy. In one embodiment, some or all of thearchitectural exceptions/interrupts (e.g., page faults, debugbreakpoints, etc.) are disabled when running in SEM mode. In oneembodiment, some or all of the architectural exceptions/interrupts aredisabled when running in decryption mode (i.e., when the E bit 148 isset).

The microprocessor 100 also includes a key register file 124. The keyregister file 124 comprises a plurality of registers from which keys maybe loaded into the master key registers 142 of the fetch unit 104 via aswitch key instruction (discussed below) for use in decrypting fetchedencrypted instruction data 106.

The microprocessor 100 also includes a secure memory area (SMA) 122. Thesecure memory area 122 is used to store decryption keys waiting to beloaded into the key register file 124 by the load key instruction 500 ofFIG. 5. In one embodiment, the secure memory area 122 is only accessibleby SEM programs. That is, the secure memory area 122 is not accessibleby programs executing in normal (i.e., non-SEM) execution mode.Furthermore, the secure memory area 122 is not accessible via theprocessor bus and is not part of the cache memory hierarchy of themicroprocessor 100; hence, for example, a cache flush operation does notcause the contents of the secure memory area 122 to be written tomemory. Special instructions exist within the instruction setarchitecture of the microprocessor 100 to read and write the securememory area 122. According to one embodiment, the secure memory area 122comprises a private RAM as described in more detail in U.S. patentapplication Ser. No. 12/034,503 (CNTR.2349), filed Feb. 20, 2008 (U.S.Publication No. 2008-0256336, Oct. 16, 2008), which is herebyincorporated by reference in its entirety.

Initially, the operating system or other privileged program loads aninitial set of keys into the secure memory area 122, key register file124, and master key register file 142. The microprocessor 100 willinitially use the initial set of keys to decrypt an encrypted program.Additionally, the encrypted program itself may subsequently write newkeys into the secure memory area 122, load the keys from the securememory area 122 into the key register file 124 (via the load keyinstruction), and load the keys from the key register file 124 into themaster key registers 142 (via the switch key instruction).Advantageously, the switch key instruction enables on-the-fly switchingof the set of decryption keys while the encrypted program is running, asdescribed below. The new keys may be composed of immediate data withinthe encrypted program instructions themselves. In one embodiment, afield in the header of the program file indicates whether or not theinstructions of the program are encrypted.

Several advantages may be observed from FIG. 1. First, the plain textinstruction data decrypted from the encrypted instruction data 106 isnever observable outside the microprocessor 100.

Second, the fetch unit 104 embodiment requires the same time to fetchencrypted instruction data as it does to fetch plain text instructiondata. This is critical to security. Otherwise, the time difference mightcreate a vulnerability that an attacker might exploit to break theencryption.

Third, the instruction decryption feature adds no additional clockcycles to the fetch unit 104 over a conventional design. As discussedbelow, the key expander 152 increases the effective length of thedecryption key used to decrypt an encrypted program, and itadvantageously does so without causing the time required to fetchencrypted program data to be longer than the time required to fetchplain text program data. In particular, because the key expander 152operates within the time required by the instruction cache 102 to lookupthe fetch address 134 and provide the instruction data 106, the keyexpander 152 adds no time to the ordinary fetch process. Furthermore,because the mux 154 and key expander 152 together operate within thetime required by the instruction cache 102 to lookup the fetch address134 and provide the instruction data 106, they add no additional time tothe ordinary fetch process. The XOR logic 156 is the only logic added tothe ordinary fetch path, and advantageously, the propagation delayintroduced by the XOR operation 156 is sufficiently small as to avoidrequiring an increase in clock cycle time. Thus, the addition of theinstruction decryption feature adds no additional clock cycles to thefetch unit 104. Furthermore, this is in contrast to a conceivableimplementation that incorporates a complex decryption mechanism, such asS-boxes, to decrypt the instruction data 106, which would require anincrease in cycle time and/or an increase in the number of clock cyclesrequired to fetch and decode the instruction data 106.

Referring now to FIG. 2, a block diagram illustrating in more detail thefetch unit 104 of FIG. 1 is shown. In particular, the details of the keyexpander 152 of FIG. 1 are shown. The advantages of using an XORfunction to decrypt the encrypted instruction data 106 are discussedabove. However, the fast and small XOR function has the disadvantagethat it is inherently a weak encryption method if theencryption/decryption key is re-used. However, if the effective lengthof the key is equal to the length of the program beingencrypted/decrypted, the XOR encryption is a very strong form ofencryption. Advantageously, the microprocessor 100 includes features toincrease the effective length of the decryption key in order to reducethe need to re-use the key. First, the values stored in the master keyregister file 142 are of moderately large size: in one embodiment, theyare the size of a fetch quantum, or block, of the instruction data 106from the instruction cache 102, which is 128 bits (16 bytes). Second,the key expander 152 operates to increase the effective length of thedecryption key, such as to 2,048 bytes according to one embodiment, asdescribed in more detail below. Third, the encrypted program may changethe values in the master key registers 142 on-the-fly while it isexecuting using a switch key instruction (and variants thereof)described below.

In the embodiment of FIG. 2, there are five master key registers 142,indexed as 0 through 4. However, other embodiments are contemplated inwhich a smaller or larger number of master key registers 142 areemployed to increase the effective decryption key length. For example,an embodiment is contemplated in which there are twelve master keyregisters 142. The key expander 152 includes a first mux A 212 and asecond mux B 214 that receive the keys from master key registers 142. Aportion of the fetch address 134 controls the muxes 212/214. In theembodiment of FIG. 2, mux B 214 is a 3:1 mux and mux A 212 is a 4:1 mux.Table 1 describes the master key registers 142 index selected by themuxes 212/214 based on their select input values, and Table 2 shows thegeneration of the select input values and consequent master keyregisters 142 combinations as a function of fetch address 134 bits[10:8].

TABLE 1 MuxB index of selected MuxA index of selected select master keyregister select master key register 00 0 00 1 01 1 01 2 10 2 10 3 11 4

TABLE 2 Fetch Address MuxB-MuxA MuxB MuxA [10:8] Combination selectselect 000 0-1 00 00 001 0-2 00 01 010 0-3 00 10 011 0-4 00 11 100 1-201 01 101 1-3 01 10 110 1-4 01 11 111 2-3 10 10

The output 236 of mux B 214 is provided to an adder/subtractor 218. Theoutput 234 of mux A 212 is provided to a rotater 216. The rotater 216receives bits [7:4] of the fetch address 134, whose value controls thenumber of bytes the rotater 216 rotates the mux output 234. In oneembodiment, the bits [7:4] of the fetch address 134 are incrementedprior to being used by the rotater 216 to control the number of bytes torotate, as shown in Table 3 below. The output 238 of the rotater 216 isprovided to the adder/subtractor 218. The adder/subtractor 218 receivesbit [7] of the fetch address 134. If bit [7] is clear, theadder/subtractor 218 subtracts the output 238 of the rotater 216 fromthe output 236 of mux B 214; otherwise, if bit [7] is set, theadder/subtractor 218 adds the output 238 of the rotater 216 to theoutput 236 of mux B 214. The output of the adder/subtractor 218 is thedecryption key 174 of FIG. 1 that is provided to mux 154. This operationis described in the flowchart of FIG. 3.

Referring now to FIG. 3, a flowchart illustrating operation of the fetchunit 104 of FIG. 2 according to the present invention is shown. Flowbegins at block 302.

At block 302, the fetch unit 104 applies the fetch address 134 to theinstruction cache 102 to begin fetching a 16-byte block of instructiondata 106. The instruction data 106 may be encrypted or it may be plaintext, depending upon whether the instruction data 106 is part of anencrypted or plain text program, which is indicated by the E bit 148.Flow proceeds to block 304.

At block 304, mux A 212 selects a first key 234 and mux B 214 selects asecond key 236 from among the keys 172 of the master key register file142 based on upper fetch address 134 bits. In one embodiment, the fetchaddress 134 bits are employed by the muxes 212/214 to select only uniquecombinations of the key 234/236 pairs. In the embodiment of FIG. 2 inwhich five master key registers 142 are provided, there exists tenpossible unique combinations of the master key registers 142, and tosimply the hardware design, eight of the combinations are employed. Asdiscussed in more detail below, this advantageously yields an effectivekey of 2,048 bytes. However, other embodiments are contemplated with adifferent number of master key registers 142. For example, an embodimentis contemplated in which twelve master key registers 142 are provided,for which there exists 66 possible unique combinations of the master keyregisters 142, such that if 64 of the combinations are employed, thisyields an effective key of 16,384 bytes. Flow proceeds to block 306.

At block 306, the rotater 216 rotates the first key 234 a number ofbytes based on the value of fetch address 134 bits [7:4] to generate arotated first key 238. For example, if the value of fetch address 134bits [7:4] is nine, then the rotater 216 rotates the first key 234 rightnine bytes. Flow proceeds to block 308.

At block 308, the adder/subtractor 218 adds/subtracts the rotated firstkey 238 to/from the second key 236 to produce the decryption key 174 ofFIG. 1. In one embodiment, if bit [7] of the fetch address 134 is one,then the adder/subtractor 218 adds the rotated first key 238 to thesecond key 236; whereas, if bit [7] of the fetch address 134 is zero,then the adder/subtractor 218 subtracts the rotated first key 238 fromthe second key 236. Flow proceeds to decision block 312.

At decision block 312, the mux 154 determines whether the fetched blockof instruction data 106 is from an encrypted or plain text program basedon its control input, which is the E bit 148 from the control register144. If the instruction data 106 is encrypted, flow proceeds to block314; otherwise, flow proceeds to block 316.

At block 314, the mux 154 selects the decryption key 174 and the XORgate 156 performs a Boolean XOR operation on the encrypted instructiondata 106 with the decryption key 174 to generate the plain textinstruction data 162 of FIG. 1. Flow ends at block 314.

At block 316, the mux 154 selects the sixteen bytes of zeroes 176 andthe XOR gate 156 performs a Boolean XOR operation on the instructiondata 106 (which is plain text) with the zeroes to generate the sameplain text instruction data 162. Flow ends at block 316.

As may be observed from FIGS. 2 and 3, the derived decryption key 174that is XORed with a given block of instruction data 106 is a functiononly of the selected master key pair 234/236 and the fetch address 134.This is in contrast to a classical decryption mechanism that is afunction of a previous key value by continually modifying the key andfeeding the new key back into the next cycle. The fact that the deriveddecryption key 174 is a function of only the master key pair and thefetch address 134 is advantageous for at least two reasons. First, asmentioned above, it enables both encrypted and plain text instructiondata 106 to be fetched in the same amount of time and does not increasethe cycle time of the microprocessor 100. Second, it does not increasethe time required to fetch instruction data 106 in the presence of abranch instruction in the program. In one embodiment, a branch predictorreceives the fetch address 134 and predicts the presence, direction, andtarget address of a branch instruction within the block of instructiondata 106 at the fetch address 134. In the embodiment of FIG. 2, the factthat the derived decryption key 174 is a function only of the master keypair 234/236 and the fetch address 134 enables it to generate theappropriate decryption key 174 for the predicted target address duringthe same clock that the block of instruction data 106 at the targetaddress arrives at the XOR gate 156. This avoids the requirement thatwould be generated by a classical decryption key calculation mechanismto perform multiple “rewind” steps to calculate the decryption key forthe target address, thereby incurring additional delay in the case ofencrypted instruction data.

As may also be observed from FIGS. 2 and 3, the rotater 216 andadder/subtractor 218 of the key expander 152 work together toeffectively expand the decryption key length beyond the length of themaster keys 142. In other words, the master keys 142 are collectively 32bytes (2*16 bytes); however, from the perspective of an attackerattempting to determine the decryption keys 174, the rotater 216 andadder/subtractor 218 effectively expand the 32 bytes of master keys 142into a 256-byte expanded key sequence. More specifically, byte n of theeffectively expanded key sequence is:k₀ _(n) ±k₁ _(n+x)where k₀ _(n) is byte n of the first master key 234 and k₁ _(n+x) isbyte n+x of the second master key 236. As described above, the firsteight sets of 16-byte decryption keys 174 generated by the key expander152 are formed by a subtraction, and the second eight sets are formed byan addition. Specifically, the pattern of bytes of each selected masterkey pair 234/236 used to generate the decryption key 174 bytes for eachcorresponding byte of sixteen sequential 16-byte blocks of instructiondata is shown below in Table 3. For example, the notation “15-00” in thefirst line of Table 3 indicates that byte 0 of the second master key 236is subtracted via an eight-bit arithmetic operation from byte 15 of thefirst master key 234 to generate the effective decryption key 174 byteto be XORed with byte 15 of a 16-byte block of instruction data 106.

TABLE 3 15 − 00 14 − 15 13 − 14 12 − 13 11 − 12 10 − 11 09 − 10 08 − 0907 − 08 06 − 07 05 − 06 04 − 05 03 − 04 02 − 03 01 − 02 00 − 01 15 − 0114 − 00 13 − 15 12 − 14 11 − 13 10 − 12 09 − 11 08 − 10 07 − 09 06 − 0805 − 07 04 − 06 03 − 05 02 − 04 01 − 03 00 − 02 15 − 02 14 − 01 13 − 0012 − 15 11 − 14 10 − 13 09 − 12 08 − 11 07 − 10 06 − 09 05 − 08 04 − 0703 − 06 02 − 05 01 − 04 00 − 03 15 − 03 14 − 02 13 − 01 12 − 00 11 − 1510 − 14 09 − 13 08 − 12 07 − 11 06 − 10 05 − 09 04 − 08 03 − 07 02 − 0601 − 05 00 − 04 15 − 04 14 − 03 13 − 02 12 − 01 11 − 00 10 − 15 09 − 1408 − 13 07 − 12 06 − 11 05 − 10 04 − 09 03 − 08 02 − 07 01 − 06 00 − 0515 − 05 14 − 04 13 − 03 12 − 02 11 − 01 10 − 00 09 − 15 08 − 14 07 − 1306 − 12 05 − 11 04 − 10 03 − 09 02 − 08 01 − 07 00 − 06 15 − 06 14 − 0513 − 04 12 − 03 11 − 02 10 − 01 09 − 00 08 − 15 07 − 14 06 − 13 05 − 1204 − 11 03 − 10 02 − 09 01 − 08 00 − 07 15 − 07 14 − 06 13 − 05 12 − 0411 − 03 10 − 02 09 − 01 08 − 00 07 − 15 06 − 14 05 − 13 04 − 12 03 − 1102 − 10 01 − 09 00 − 08 15 + 08 14 + 07 13 + 06 12 + 05 11 + 04 10 + 0309 + 02 08 + 01 07 + 00 06 + 15 05 + 14 04 + 13 03 + 12 02 + 11 01 + 1000 + 09 15 + 09 14 + 08 13 + 07 12 + 06 11 + 05 10 + 04 09 + 03 08 + 0207 + 01 06 + 00 05 + 15 04 + 14 03 + 13 02 + 12 01 + 11 00 + 10 15 + 1014 + 09 13 + 08 12 + 07 11 + 06 10 + 05 09 + 04 08 + 03 07 + 02 06 + 0105 + 00 04 + 15 03 + 14 02 + 13 01 + 12 00 + 11 15 + 11 14 + 10 13 + 0912 + 08 11 + 07 10 + 06 09 + 05 08 + 04 07 + 03 06 + 02 05 + 01 04 + 0003 + 15 02 + 14 01 + 13 00 + 12 15 + 12 14 + 11 13 + 10 12 + 09 11 + 0810 + 07 09 + 06 08 + 05 07 + 04 06 + 03 05 + 02 04 + 01 03 + 00 02 + 1501 + 14 00 + 13 15 + 13 14 + 12 13 + 11 12 + 10 11 + 09 10 + 08 09 + 0708 + 06 07 + 05 06 + 04 05 + 03 04 + 02 03 + 01 02 + 00 01 + 15 00 + 1415 + 14 14 + 13 13 + 12 12 + 11 11 + 10 10 + 09 09 + 08 08 + 07 07 + 0606 + 05 05 + 04 04 + 03 03 + 02 02 + 01 01 + 00 00 + 15 15 + 15 14 + 1413 + 13 12 + 12 11 + 11 10 + 10 09 + 09 08 + 08 07 + 07 06 + 06 05 + 0504 + 04 03 + 03 02 + 02 01 + 01 00 + 00

Given appropriate master key 142 values, the expanded keys generated bythe key expander 152 may exhibit good statistical properties thatsignificantly hinder the common attack on XOR-based encryption, whichinvolves shifting an encrypted block of text by the key length andXORing the encrypted blocks together, as discussed below in more detail.The net effect of the key expander 152 on a given selected master keypair 234/236 is that the span between two instruction data 106 bytes ofthe program that are encrypted with the same exact key can be up to 256bytes in the embodiment shown. Other embodiments are contemplated havingdifferent instruction data 106 block sizes and master key 142 lengthsthat yield different values for the maximum span between two instructiondata 106 bytes encrypted with the same key.

The plurality of master key registers 142 and muxes 212/214 of the keyexpander 152 functioning to select the master key pair 234/236 alsooperate to extend the effective key length. As discussed above, in theembodiment of FIG. 2 in which five master key registers 142 areprovided, there exists ten possible unique combinations of the masterkey registers 142, and the muxes 212/214 operate to select eight of theten possible combinations. The 256-byte effective key length per keypair 234/236 of Table 3 in conjunction with the eight uniquecombinations of key pairs 234/236 yields an effective key length of2,048 bytes. That is, the span between two instruction data 106 bytes ofthe program that are encrypted with the same exact key can be up to2,048 bytes in the embodiment shown.

To further appreciate the advantages afforded by the key expander 152, abrief explanation of a common method of attack on XOR-based encryptionschemes is given. If the key length employed by an XOR encryptionalgorithm is shorter than the length of the program instruction data tobe encrypted/decrypted, the key must be reused for potentially manybytes, depending upon the length of the program. This vulnerabilityleads to a classic way to break an XOR instruction encryption scheme.First, the attacker attempts to determine the length of the repeatingkey, which is n+1 in the conventional example of lines (1) through (3)below. Second, the attacker assumes each key-length block of instructiondata is encrypted with the same key. To illustrate, consider twokey-length blocks of data encrypted according to a conventional XORencryption algorithm:b_(n) _(0^) k_(n), . . . ,b₁ _(0^) k_(1,)b₀ _(0^) k₀  (1)b_(n) _(1^) k_(n), . . . ,b₁ _(1^) k_(1,)b₀ _(1^) k_(0,)  (2)where b_(n) ₀ is byte n of the first key-length block of data beingencrypted, b_(n) ₁ is byte n of the second key-length block of databeing encrypted, and k_(n) is byte n of the key. Third, the attackerXORs the two blocks together, in which case the key portions cancel eachother leaving:b_(n) _(0^) b_(n) ₁ _(, . . . ,)b₁ _(0^) b₁ ₁ _(,)b₀ _(0^) b₀ ₁_(.)  (3)

Finally, since the resultant bytes are a function of only two plain-textbytes, the attacker employs statistical analysis of plain-textfrequencies to try to derive the plain-text byte values.

In contrast, the pattern of encrypted instruction data 106 bytesaccording to the embodiment of FIGS. 2 and 3 are described below inlines (4) and (5):b_(n) _(0^) ₍k_(n) _(x) ±k₀ _(y) ₎, . . . ,b₁ _(0^) ₍k₁ _(x) ±k₂ _(y)_(),)b₀ _(0^) ₍k₀ _(x) ±k₁ _(y) ₎  (4)b_(n) _(1^) ₍k_(n) _(x) ±k₁ _(y) ₎, . . . ,b₁ _(1^) ₍k₁ _(x) ±k₃ _(y)_(),)b₀ _(1^) ₍k₀ _(x) ±k₂ _(y) _(),)  (5)where b_(n) ₀ denotes byte n of a first 16-byte block of instructiondata being encrypted, b_(n) ₁ denotes byte n of a next 16-byte block ofinstruction data being encrypted, k_(n) _(x) denotes byte n of a masterkey x, and k_(n) _(y) denotes byte n of a master key y. As discussedabove, the master keys x and y are different keys. Assuming the eightdifferent combinations of the master key pair 234/236 afforded by anembodiment with five master key registers 142, each byte within a2,048-byte sequence is XORed with a different combination of twoindependent master key 142 bytes. Thus, when encrypted data is shiftedin any fashion within the 256-byte block and XORed together thereremains a complex component of the two master keys left in the resultbyte such that, unlike the result in line (3), the result is a functionof more than just plain text bytes. For example, if the attacker choosesto align and XOR 16-byte blocks within the same 256-byte block such thatthe same key 0 bytes are used in each term, the result for byte 0 isshown here in line (6) having a complex component of the two master keysleft in the result byte:b₀ _(0^) ₍k₀ _(x) ±k₁ _(y) ₎ _(^) b₀ _(1^) ₍k₀ _(x) ±k_(n) _(y)_(),)  (6)where n is different than 1.

Still further, if the attacker chooses to align and XOR 16-byte blocksfrom different 256-byte blocks, the result for byte 0 is shown here inline (7):b₀ _(0^) ₍k₀ _(x) ±k₁ _(y) ₎ _(^) b₀ _(1^) ₍k₀ _(u) ±k_(n) _(v)_(),)  (7)where at least one of the master keys u and v is different than bothmaster keys x and y. Simulation of XORing the effective key bytesgenerated from random master key values has displayed a relativelysmooth distribution of the resulting ₍k₀ _(x) ±k₁ _(y) ₎ _(^) ₍k₀ _(u)±k_(n) _(v) ₎ values.

Of course, if the attacker chooses to align and XOR 16-byte blocks fromdifferent 2,048-byte blocks, the attacker may achieve a similar resultas shown in line (3). However, the following is noted. First, someprograms, such as security-related programs, may be shorter than 2,048bytes. Second, the statistical correlation between instruction bytesthat are 2,048 bytes apart is likely very small, thus increasing thedifficulty of successfully breaking the scheme. Third, as mentionedabove, embodiments are contemplated in which the number of the masterkey registers 142 may be increased to further extend the effectivelength of the decryption key, such as to 16,384 by providing twelvemaster key registers 142, for example, or longer. Fourth, the load keyinstruction 500 and switch key instruction 600 discussed below provide ameans for the programmer to load new values into the master key registerfile 142 to effectively extend the length of the key greater than 2,048and, if necessary, to extend the key length to the entire length ofprogram.

Referring now to FIG. 4, a block diagram illustrating the fields of theEFLAGS register 128 of FIG. 1 according to the present invention isshown. According to the embodiment of FIG. 4, the EFLAGS register 128includes the standard x86 EFLAGS register bits 408; however, theembodiment of FIG. 4 uses for new purposes described herein a bit thatis conventionally RESERVED by the x86 architecture. In particular, theEFLAGS register 128 includes an E bit field 402. The E bit 402 is usedto restore the control register 144 E bit 148 value in order tofacilitate switching between encrypted and plain text programs and/orbetween different encrypted programs, as described in more detail below.The E bit 402 indicates whether the currently executing program isencrypted. The E bit 402 is set if the currently executing program isencrypted; otherwise, it is clear. Advantageously, the EFLAGS register128 gets saved when an interrupting event occurs that switches controlto another program, such as an interrupt, exception (such as a pagefault), or task switch. Conversely, the EFLAGS register 128 getsrestored when control returns to the program that was interrupted by theinterrupting event. The microprocessor 100 is configured such that,advantageously, when the EFLAGS register 128 is restored, themicroprocessor 100 also updates the value of the control register 144 Ebit 148 with the value of the EFLAGS register 128 E bit 402, asdescribed in more detail below. Therefore, if an encrypted program wasexecuting when the interrupting event occurred, i.e., the fetch unit 104was in decryption mode, when control is returned to the encryptedprogram, the fetch unit 104 is restored to decryption mode by thesetting of the E bit 148 via the restored E bit 402. In one embodiment,the E bit 148 and the E bit 402 are the same physical hardware bit suchthat saving the value of the EFLAGS register 128 E bit 402 saves the Ebit 148 and restoring a value the EFLAGS register 128 E bit 402 restoresthe E bit 148.

Referring now to FIG. 5, a block diagram illustrating the format of aload key instruction 500 according to the present invention is shown.The load key instruction 500 includes an opcode 502 field that uniquelyidentifies the load key instruction 500 within the instruction set ofthe microprocessor 100. In one embodiment, the opcode field 502 value is0FA6/4 (in x86 notation). The load key instruction 500 includes twooperands: a key register file destination address 504 and an SMA sourceaddress 506. The SMA address 506 is an address of a location within thesecure memory area 122 in which a 16-byte master key is stored. The keyregister file address 504 specifies a register within the key registerfile 124 into which the 16-byte master key from the secure memory area122 is to be loaded. In one embodiment, if a program attempts to executea load key instruction 500 when the microprocessor 100 is not in secureexecution mode, an invalid instruction exception is taken, and if theSMA address 506 value is outside the valid secure memory area 122, ageneral protection exception is taken. In one embodiment, if a programattempts to execute a load key instruction 500 when the microprocessor100 is not in the highest privilege level (e.g., x86 ring 0), an invalidinstruction exception is taken. In some instances, the constituent partsof the 16-byte master keys may be included in an immediate data field ofthe encrypted instructions. The immediate data may be moved piece bypiece into the secure memory area 122 to construct the 16-byte keys.

Referring now to FIG. 6, a block diagram illustrating the format of aswitch key instruction 600 according to the present invention is shown.The switch key instruction 600 includes an opcode 602 field thatuniquely identifies the switch key instruction 600 within theinstruction set of the microprocessor 100. The switch key instruction600 also includes a key register file index field 604 that specifies thefirst of a sequence of registers within the key register file 124 fromwhich the keys will be loaded into the master key registers 142. In oneembodiment, if a program attempts to execute a switch key instruction600 when the microprocessor 100 is not in secure execution mode, aninvalid instruction exception is taken. In one embodiment, if a programattempts to execute a switch key instruction 600 when the microprocessor100 is not in the highest privilege level (e.g., x86 ring 0), an invalidinstruction exception is taken. In one embodiment, the switch keyinstruction 600 is atomic, i.e., non-interruptible, as are the otherinstructions described herein that loads the master key registers 142,such as the branch and switch key instructions described below.

Referring now to FIG. 7, a flowchart illustrating operation of themicroprocessor 100 of FIG. 1 to perform the switch key instruction 600of FIG. 6 according to the present invention is shown. Flow begins atblock 702.

At block 702, the decode unit 108 decodes a switch key instruction 600and traps to the microcode routine in the microcode unit 132 thatimplements the switch key instruction 600. Flow proceeds to block 704.

At block 704, the microcode loads the master key registers 142 from thekey register file 124 based on the key register file index field 604.Preferably, the microcode loads n keys from n adjacent registers of thekey register file 124 beginning at the key register specified in the keyregister file index field 604 into the master key registers 142, where nis the number of master key registers 142. In one embodiment, n may bespecified within an additional field of the switch key instruction 600to be less than the number of master key registers 142. Flow proceeds toblock 706.

At block 706, the microcode causes the microprocessor 100 to branch tothe next sequential x86 instruction, i.e., to the instruction after theswitch key instruction 600, which causes all x86 instructions in themicroprocessor 100 to be flushed that are newer than the switch keyinstruction 600 and which causes all micro-ops in the microprocessor 100to be flushed that are newer than the micro-op that branches to the nextsequential x86 instruction. This includes all instruction bytes 106fetched from the instruction cache 102 that may be waiting in buffers ofthe fetch unit 104 to be decrypted and the decode unit 108 to bedecoded. Flow proceeds to block 708.

At block 708, as a result of the branch to the next sequentialinstruction at block 706, the fetch unit 104 begins fetching anddecrypting instruction data 106 from the instruction cache 102 using thenew set of key values loaded into the master key registers 142 at block704. Flow ends at block 708.

As may be observed from FIG. 7, the switch key instruction 600advantageously enables a currently executing encrypted program to changethe values in the master key registers 142 being used to decrypt theencrypted program when fetched from the instruction cache 102. Thison-the-fly changing of the master key register 142 values may beemployed to increase the effective key length used to encrypt theprogram beyond the length inherently provided by the fetch unit 104(2,048 bytes according to the embodiment of FIG. 2, for example), asillustrated in FIG. 8, thereby greatly increasing the difficulty of anattacker to breach the security of the computer system that incorporatesthe microprocessor 100 if FIG. 1.

Referring now to FIG. 8, a block diagram illustrating a memory footprint800 of an encrypted program that includes switch key instructions 600 ofFIG. 6 according to the present invention is shown. The encryptedprogram memory footprint 800 of FIG. 8 comprises sequential chunks ofbytes of instruction data. A chunk is a sequence of instruction databytes that are to be decrypted (because they have been previouslyencrypted) with the same set of master key register 142 values. Thus,each switch key instruction 600 defines the boundary between two chunks.That is, the upper and lower boundaries of the chunks are defined by thelocation of a switch key instruction 600 (or, in the case of the firstchunk of the program, the upper boundary is the beginning of theprogram; and, in the case of the last chunk of the program, the lowerboundary is the end of the program). Thus, each chunk of instructiondata bytes will be decrypted by the fetch unit 104 with a different setof master key register 142 values, namely the values loaded into themaster key register file 142 via the switch key instruction 600 of thepreceding chunk. A post-processor that encrypts the program knows thememory address of the location of each switch key instruction 600 anduses that information, namely the relevant address bits of the fetchaddress, along with the switch key instruction 600 key values togenerate the encryption key bytes to encrypt the program. Some objectfile formats allow the programmer to specify the memory location atwhich the program is to be loaded, or at least alignment to a particularsize, such as a page boundary, which provides sufficient addressinformation to encrypt the program. Additionally, some operating systemsload programs on a page boundary by default.

The switch key instructions 600 may be located anywhere within theprogram. However, if each switch key instruction 600 loads unique valuesinto the master key registers 142 to be used to decrypt the nextsequential chunk of instruction data bytes, and if the switch keyinstructions 600 (and load key instructions 400, if necessary) areplaced such that the length of each chunk is less than or equal to theeffective key length afforded by the fetch unit 104 (e.g., 2,048 bytesin the embodiment of FIG. 2), then the program can be encrypted with akey whose effective length is as long as the entire program, therebyproviding very strong encryption. Furthermore, even if the switch keyinstructions 600 are employed such that the effective key length isshorter than the length of the encrypted program, i.e., even if the sameset of master key register 142 values are used to encrypt multiplechunks of the program, varying the size of the chunks (e.g., not makingthem all 2,048 bytes) may make the attacker's task more difficultbecause the attacker must first determine where chunks encrypted withthe same set of master key register 142 values reside and the lengths ofeach of these variable-length chunks.

It is noted that the on-the-fly key switch performed by the switch keyinstruction 600 requires a relatively large number of clock cycles toexecute primarily due to the pipeline flush. Additionally, according toone embodiment, the switch key instruction 600 is implemented primarilyin microcode, which is generally slower than non-microcode-implementedinstructions. Consequently, the impact of switch key instructions 600 onperformance should be taken into account by the code developer, whichmay require a balancing of execution speed and security for a givenapplication.

Referring now to FIG. 9, a block diagram illustrating the format of abranch and switch key instruction 900 according to the present inventionis shown. First, a description of the need for the branch and switch keyinstruction 900 will be provided.

According to the embodiments described above, each 16-byte block ofinstruction data of the encrypted program to be fetched by the fetchunit 104 must be encrypted (XORed) with the same 16-bytes of decryptionkey 174 values that will be used by the fetch unit 104 to decrypt (XOR)the fetched block of instruction data 106. As described above, thedecryption key 174 byte values are computed by the fetch unit 104 basedon two inputs: the master key byte values stored in the master keyregisters 142 and certain bits of the fetch address 134 of the 16-byteblock of instruction data 106 being fetched (bits [10:4] in the exampleembodiment of FIG. 2). Therefore, a post-processor that encrypts theprograms to be executed by the microprocessor 100 knows both the masterkey byte values that will be stored in the master key registers 142 andthe address, or more specifically the relevant address bits, at whichthe encrypted program will be loaded into memory and from which themicroprocessor 100 will subsequently fetch the blocks of instructiondata of the encrypted program. From this information, the post-processorgenerates the appropriate decryption key 174 value to use to encrypteach 16-byte instruction data block of the program.

As discussed above, when a branch instruction is predicted and/orexecuted, the fetch unit 104 uses the branch target address to updatethe fetch address 134. As long as an encrypted program never changes themaster key values in the master key registers 142 (via the switch keyinstruction 600), the presence of branch instructions is handledtransparently by the fetch unit 104. That is, the fetch unit 104 usesthe same master key register 142 values to calculate the decryption key174 to decrypt the block of instruction data 106 that includes thebranch instruction as the block of instruction data 106 that includesthe instructions at the target address. However, the ability of theprogram to change the master key register 142 values (via the switch keyinstruction 600) implies the possibility that the fetch unit 104 willuse one set of master key register 142 values to calculate thedecryption key 174 to decrypt the block of instruction data 106 thatincludes the branch instruction and a different set of master keyregister 142 values to calculate the decryption key 174 to decrypt theblock of instruction data 106 that includes the instructions at thetarget address. One way to avoid this problem is to restrict branchtarget addresses to be within the same program chunk. Another solutionis provided by the branch and switch key instruction 900 of FIG. 9.

Referring again to FIG. 9, a block diagram illustrating the format of abranch and switch key instruction 900 according to the present inventionis shown. The branch and switch key instruction 900 includes an opcode902 field that uniquely identifies the branch and switch key instruction900 within the instruction set of the microprocessor 100. The branch andswitch key instruction 900 also includes a key register file index field904 that specifies the first of a sequence of registers within the keyregister file 124 from which the keys will be loaded into the master keyregisters 142. The branch and switch key instruction 900 also includes abranch information field 906 that includes information typical of branchinstructions, such as information for computing a target address and abranch condition. In one embodiment, if a program attempts to execute abranch and switch key instruction 900 when the microprocessor 100 is notin secure execution mode, an invalid instruction exception is taken. Inone embodiment, if a program attempts to execute a switch keyinstruction 900 when the microprocessor 100 is not in the highestprivilege level (e.g., x86 ring 0), an invalid instruction exception istaken. In one embodiment, the branch and switch key instruction 900 isatomic.

Referring now to FIG. 10, a flowchart illustrating operation of themicroprocessor 100 of FIG. 1 to perform the branch and switch keyinstruction 900 of FIG. 9 according to the present invention is shown.Flow begins at block 1002.

At block 1002, the decode unit 108 decodes a branch and switch keyinstruction 900 and traps to the microcode routine in the microcode unit132 that implements the branch and switch key instruction 900. Flowproceeds to block 1004.

At block 1006, the microcode resolves the branch direction (i.e., takenor not taken) and target address. It is noted that in the case ofunconditional type branch instructions, the direction is always taken.Flow proceeds to decision block 1008.

At decision block 1008, the microcode determines whether the directionresolved at block 1006 is taken. If so, flow proceeds to block 1014;otherwise, flow proceeds to block 1012.

At block 1012, the microcode does not switch keys or branch to thetarget address, since the branch was not taken. Flow ends at block 1012.

At block 1014, the microcode loads the master key registers 142 from thekey register file 124 based on the key register file index field 904.Preferably, the microcode loads n keys from n adjacent registers of thekey register file 124 beginning at the key register specified in the keyregister file index field 904 into the master key registers 142, where nis the number of master key registers 142. In one embodiment, n may bespecified within an additional field of the branch and switch keyinstruction 900 to be less than the number of master key registers 142.Flow proceeds to block 1016.

At block 1016, the microcode causes the microprocessor 100 to branch tothe target address resolved at block 1006, which causes all x86instructions in the microprocessor 100 to be flushed that are newer thanthe branch and switch key instruction 900 and which causes all micro-opsin the microprocessor 100 to be flushed that are newer than the micro-opthat branches to the target address. This includes all instruction bytes106 fetched from the instruction cache 102 that may be waiting inbuffers of the fetch unit 104 to be decrypted and the decode unit 108 tobe decoded. Flow proceeds to block 1018.

At block 1018, as a result of the branch to the target address at block1016, the fetch unit 104 begins fetching and decrypting instruction data106 from the instruction cache 102 using the new set of key valuesloaded into the master key registers 142 at block 1014. Flow ends atblock 1018.

Referring now to FIG. 11, a flowchart illustrating operation of apost-processor, which is a software utility that may be employed topost-process a program and encrypt it for execution by themicroprocessor 100 of FIG. 1 according to the present invention isshown. Flow begins at block 1102.

At block 1102, the post-processor receives an object file of a program.According to one embodiment, the object file includes only branchinstructions whose target address may be determined before run-time ofthe program, such as a branch instruction that specifies a fixed targetaddress. Another type of branch instruction whose target address may bedetermined before run-time of the program, for example, is a relativebranch instruction that includes an offset that is added to the branchinstruction's memory address to calculate the branch target address. Incontrast, an example of a branch instruction whose target address maynot be determined before run-time of the program is branch instructionwhose target address is calculated from operands in registers or memorythat may change during execution of the program. Flow proceeds to block1104.

At block 1104, the post-processor replaces each inter-chunk branchinstruction with a branch and switch key instruction 900 having anappropriate key register file index field 904 value based on the chunkinto which the target address of the branch instruction falls. Asdescribed above with respect to FIG. 8, a chunk is a sequence ofinstruction data bytes that are to be decrypted with the same set ofmaster key register 142 values. Thus, an inter-chunk branch instructionis a branch instruction whose target address is within a chunk that isdifferent than the chunk which contains the branch instruction itself.It is noted that intra-chunk branches, i.e., branches whose targetaddress is within the same chunk that contains the branch instructionitself, need not be replaced. It is noted that the programmer and/orcompiler that creates the source file from which the object file isgenerated may explicitly include the branch and switch key instructions900 as needed, thereby alleviating the need for the post-processor to doso. Flow proceeds to block 1106.

At block 1106, the post-processor encrypts the program. Thepost-processor is aware of the memory location and master key register142 values associated with each chunk, which it uses to encrypt theprogram. Flow ends at block 1106.

Referring now to FIG. 12, a block diagram illustrating the format of abranch and switch key instruction 1200 according to an alternateembodiment of the present invention is shown. Advantageously, the branchand switch key instruction 1200 of FIG. 12 accommodates branching whenthe target address is not known pre-run-time, as discussed in moredetail below. The branch and switch key instruction 1200 includes anopcode 1202 field that uniquely identifies the branch and switch keyinstruction 1200 within the instruction set of the microprocessor 100.The branch and switch key instruction 1200 also includes a branchinformation field 906 similar to the same field in the branch and switchkey instruction 900 of FIG. 9. In one embodiment, if a program attemptsto execute a branch and switch key instruction 1200 when themicroprocessor 100 is not in secure execution mode, an invalidinstruction exception is taken. In one embodiment, if a program attemptsto execute a branch and switch key instruction 1200 when themicroprocessor 100 is not in the highest privilege level (e.g., x86 ring0), an invalid instruction exception is taken. In one embodiment, thebranch and switch key instruction 1200 is atomic.

Referring now to FIG. 13, a block diagram illustrating a chunk addressrange table 1300 according to the present invention is shown. The table1300 includes a plurality of entries. Each entry is associated with adifferent chunk of the encrypted program. Each entry includes an addressrange field 1302 and a key register file index field 1304. The addressrange field 1302 specifies the memory address range of the chunk. Thekey register file index field 1304 specifies the index into the keyregister file 124 of the registers storing the key values that must beloaded by the branch and switch key instruction 1200 into the master keyregister 142 to be used by the fetch unit 104 to decrypt the chunk. Asdiscussed below with respect to FIG. 18, the table 1300 is loaded intothe microprocessor 100 before a branch and switch key instruction 1200is executed that requires access to the table 1300.

Referring now to FIG. 14, a flowchart illustrating operation of themicroprocessor 100 of FIG. 1 to perform the branch and switch keyinstruction 1200 of FIG. 12 according to the present invention is shown.Flow begins at block 1402.

At block 1402, the decode unit 108 decodes a branch and switch keyinstruction 1200 and traps to the microcode routine in the microcodeunit 132 that implements the branch and switch key instruction 1200.Flow proceeds to block 1404.

At block 1406, the microcode resolves the branch direction (i.e., takenor not taken) and target address. Flow proceeds to decision block 1408.

At decision block 1408, the microcode determines whether the directionresolved at block 1406 is taken. If so, flow proceeds to block 1414;otherwise, flow proceeds to block 1412.

At block 1412, the microcode does not switch keys or branch to thetarget address, since the branch was not taken. Flow ends at block 1412.

At block 1414, the microcode looks up the target address resolved atblock 1406 in the table 1300 of FIG. 13 to obtain the key register fileindex field 1304 value of the chunk into which the target address falls.The microcode then loads the master key registers 142 from the keyregister file 124 based on the key register file index field 1304.Preferably, the microcode loads n keys into the master key registers 142from n adjacent registers of the key register file 124 at the keyregister file index field 1304 value, where n is the number of masterkey registers 142. In one embodiment, n may be specified within anadditional field of the branch and switch key instruction 1200 to beless than the number of master key registers 142. Flow proceeds to block1416.

At block 1416, the microcode causes the microprocessor 100 to branch tothe target address resolved at block 1406 and causes all x86instructions in the microprocessor 100 to be flushed that are newer thanthe branch and switch key instruction 1200 and which causes allmicro-ops in the microprocessor 100 to be flushed that are newer thanthe micro-op that branches to the target address. This includes allinstruction bytes 106 fetched from the instruction cache 102 that may bewaiting in buffers of the fetch unit 104 to be decrypted and the decodeunit 108 to be decoded. Flow proceeds to block 1418.

At block 1418, as a result of the branch to the target address at block1416, the fetch unit 104 begins fetching and decrypting instruction data106 from the instruction cache 102 using the new set of key valuesloaded into the master key registers 142 at block 1414. Flow ends atblock 1418.

Referring now to FIG. 15, a block diagram illustrating the format of abranch and switch key instruction 1500 according to an alternateembodiment of the present invention is shown. The branch and switch keyinstruction 1500 of FIG. 15 and its operation is similar to the branchand switch key instruction 1200 of FIG. 12; however, rather than loadingthe master key registers 142 from the key register file 124, the branchand switch key instruction 1500 loads the master key registers 142 fromthe secure memory area 122, as described below.

Referring now to FIG. 16, a block diagram illustrating a chunk addressrange table 1600 according to the present invention is shown. The table1600 of FIG. 16 is similar to the table 1300 of FIG. 13; however, ratherthan a key register index field 1304, the table 1600 includes an SMAaddress field 1604. The SMA address field 1604 specifies the addresswithin the secure memory area 122 of the locations storing the keyvalues that must be loaded by the branch and switch key instruction 1500into the master key register 142 to be used by the fetch unit 104 todecrypt the chunk. As discussed below with respect to FIG. 18, the table1600 is loaded into the microprocessor 100 before a branch and switchkey instruction 1500 is executed that requires access to the table 1600.In one embodiment, many of the lower bits of the secure memory area 122address need not be stored in the SMA address field 1604, particularlysince the number of locations in the secure memory area 122 storing theset of keys is large (e.g., 16 bytes×5) and the set may be aligned on aset-size boundary.

Referring now to FIG. 17, a flowchart illustrating operation of themicroprocessor 100 of FIG. 1 to perform the branch and switch keyinstruction 1500 of FIG. 15 according to the present invention is shown.Flow begins at block 1702. Most of the blocks of the flowchart of FIG.17 are similar to the blocks of FIG. 14 and are thus similarly numbered.However, block 1414 is replaced with block 1714 in which the microcodelooks up the target address resolved at block 1406 in the table 1600 ofFIG. 16 to obtain the SMA address field 1604 value of the chunk intowhich the target address falls. The microcode then loads the master keyregisters 142 from the secure memory area 122 based on the SMA addressfield 1604 value. Preferably, the microcode loads n keys into the masterkey registers 142 from n adjacent 16-byte locations of the secure memoryarea 122 at the SMA address field 1604 value, where n is the number ofmaster key registers 142. In one embodiment, n may be specified withinan additional field of the branch and switch key instruction 1500 to beless than the number of master key registers 142.

Referring now to FIG. 18, a flowchart illustrating operation of apost-processor that may be employed to post-process a program andencrypt it for execution by the microprocessor 100 of FIG. 1 accordingto an alternate embodiment of the present invention is shown. Flowbegins at block 1802.

At block 1802, the post-processor receives an object file of a program.According to one embodiment, the object file includes branchinstructions whose target address may be determined before run-time ofthe program as well as branch instructions whose target address may notbe determined before run-time of the program. Flow proceeds to block1803.

At block 1803, the post-processor creates a chunk address range table1300 of FIG. 13 or 1600 of FIG. 16 for inclusion in the object file. Inone embodiment, the operating system loads the table 1300/1600 into themicroprocessor 100 prior to loading and running the encrypted program sothat the branch and switch key instructions 1200/1500 may have access toit. In one embodiment, the post-processor inserts instructions into theprogram that load the table 1300/1600 into the microprocessor 100 beforeany branch and switch key instructions 1200/1500 are executed. Flowproceeds to block 1804.

At block 1804, similar to the operation described above with respect toblock 1104 of FIG. 11, the post-processor replaces eachpre-run-time-target address-determinable inter-chunk branch instructionwith a branch and switch key instruction 900 of FIG. 9 having anappropriate key register file index field 904 value based on the chunkinto which the target address of the branch instruction falls. Flowproceeds to block 1805.

At block 1805, the post-processor replaces each run-time-only-targetaddress-determinable branch instruction with a branch and switch keyinstruction 1200 of FIG. 12 or 1500 of FIG. 15, depending upon whichtype of table 1300/1600 was created at block 1803. Flow proceeds toblock 1806.

At block 1806, the post-processor encrypts the program. Thepost-processor is aware of the memory location and master key register142 values associated with each chunk, which it uses to encrypt theprogram. Flow ends at block 1806.

Referring now to FIG. 19, a flowchart illustrating operation of themicroprocessor 100 of FIG. 1 to accommodate task switching between anencrypted program and a plain text program according to the presentinvention is shown. Flow begins at block 1902.

At block 1902, the E bit 402 of the EFLAGS register 128 and the E bit148 of the control register 144 of FIG. 1 are cleared by a reset of themicroprocessor 100. Flow proceeds to block 1904.

At block 1904, after executing its reset microcode that performs itsinitialization, the microprocessor 100 begins fetching and executinguser program instructions, such as system firmware, which are plain textprogram instructions. In particular, because the E bit 148 is clear, thefetch unit 104 treats the fetched instruction data 106 as plain textinstructions, as described above. Flow proceeds to block 1906.

At block 1906, system software (such as the operating system, firmware,BIOS, etc.) receives a request to run an encrypted program. In oneembodiment, the request to run an encrypted program is accompanied by orindicated by a switch to the secure execution mode of the microprocessor100, discussed above. In one embodiment, the microprocessor 100 is onlyallowed to operate in decryption mode (i.e., with the E bit 148 set)when operating in the secure execution mode. In one embodiment, themicroprocessor 100 is only allowed to operate in decryption mode whenoperating in a system management mode, such as the well-known SMM of thex86 architecture. Flow proceeds to block 1908.

At block 1908, the system software loads the master key registers 142with their initial values associated with the first chunk of the programthat will execute. In one embodiment, the system software executes aswitch key instruction 600 to load the master key registers 142. Priorto loading of the master key registers 142, the key register file 124may be loaded using one or more load key instructions 400. In oneembodiment, prior to the loading of the master key registers 142 and keyregister file 124, the secure memory area 122 may be written with keyvalues via a secure channel according to well-known techniques, such asan AES- or RSA-encrypted channel, to avoid snooping of the values by anattacker. As discussed above, the values may be stored in a securenon-volatile memory, such as a flash memory, coupled to themicroprocessor 100 via a private serial bus, or stored in a non-volatilewrite-once memory of the microprocessor 100. As discussed above, theprogram may be included in a single chunk. That is, the program mayinclude no switch key instructions 600 such that the entire program isdecrypted with a single set of master key register 142 values. Flowproceeds to block 1916.

At block 1916, as control is transferred to the encrypted program, themicroprocessor 100 sets the EFLAGS register 128 E bit 402 to indicatethat the currently executing program is encrypted, and sets the controlregister 144 E bit 148 to place the fetch unit 104 in decryption mode.The microprocessor 100 also causes the pipeline to be flushed ofinstructions, similar to the flush operation performed at block 706 ofFIG. 7. Flow proceeds to block 1918.

At block 1918, the fetch unit 104 fetches the instructions 106 of theencrypted program and decrypts and executes them in decryption mode asdescribed above with respect to FIGS. 1 through 3. Flow proceeds toblock 1922.

At block 1922, as the microprocessor 100 is fetching and executing theencrypted program, the microprocessor 100 receives an interruptingevent. The interrupting event may be an interrupt, an exception (such asa page fault), or a task switch, for example. When an interrupting eventoccurs, all pending instructions within the microprocessor 100 pipelineare flushed. Therefore, if there are any instructions in the pipelinethat were fetched as encrypted instructions, they are flushed.Furthermore, all instruction bytes fetched from the instruction cache102 that may be waiting in buffers of the fetch unit 104 to be decryptedand the decode unit 108 to be decoded are flushed. In one embodiment,microcode is invoked in response to the interrupting event. Flowproceeds to block 1924.

At block 1924, the microprocessor 100 saves the EFLAGS register 128(along with the other architectural state of the microprocessor 100,including the current instruction pointer value of the interruptedencrypted program) to a stack memory. Advantageously, the E bit 402value of the encrypted program is saved so that it may be subsequentlyrestored (at block 1934). Flow proceeds to block 1926.

At block 1926, as control is transferred to the new program (e.g.,interrupt handler, exception handler, or new task), the microprocessor100 clears the EFLAGS register 128 E bit 402 and the control register144 E bit 148, since the new program is a plain text program. That is,the embodiment of FIG. 19 assumes only one encrypted program is allowedto run at a time on the microprocessor 100 and an encrypted program wasalready running, i.e., was interrupted. However, see FIGS. 21 through 26for a description of alternate embodiments. Flow proceeds to block 1928.

At block 1928, the fetch unit 104 fetches the instructions 106 of thenew program in plain text mode as described above with respect to FIGS.1 through 3. In particular, the clear value of the control register 144E bit 148 controls mux 154 such that the instruction data 106 is XORedwith the zeroes 176 such that the instruction data 106 is not decrypted.Flow proceeds to block 1932.

At block 1932, the new program executes a return from interruptinstruction (e.g., x86 IRET) or similar instruction to cause control toreturn to the encrypted program. In one embodiment, the return frominterrupt instruction is implemented in microcode. Flow proceeds toblock 1934.

At block 1934, in response to the return from interrupt instruction, ascontrol is transferred back to the encrypted program, the microprocessor100 restores the EFLAGS register 128, thereby restoring the EFLAGSregister 128 E bit 402 to a set value that was saved at block 1924. Flowproceeds to block 1938.

At block 1938, as control is transferred back to the encrypted program,the microprocessor 100 updates the control register 144 E bit 148 withthe value from the EFLAGS register 128 E bit 402, i.e., with a setvalue, such that the fetch unit 104 re-commences fetching and decryptingthe encrypted program instruction data 106. Flow proceeds to block 1942.

At block 1942, the microcode causes the microprocessor 100 to branch tothe instruction pointer value that was saved onto the stack at block1924, which causes all x86 instructions in the microprocessor 100 to beflushed and which causes all micro-ops in the microprocessor 100 to beflushed. This includes all instruction bytes 106 fetched from theinstruction cache 102 that may be waiting in buffers of the fetch unit104 to be decrypted and the decode unit 108 to be decoded. Flow proceedsto block 1944.

At block 1944, the fetch unit 104 resumes fetching the instructions 106of the encrypted program and decrypting and executing them in decryptionmode as described above with respect to FIGS. 1 through 3. Flow ends atblock 1944.

Referring now to FIG. 20, a flowchart illustrating operation of systemsoftware running on the microprocessor 100 of FIG. 1 according to thepresent invention is shown. FIG. 20 accompanies the embodiment of FIG.19. Flow begins at block 2002.

At block 2002, a request is made to the system software to run a newencrypted program. Flow proceeds to decision block 2004.

At decision block 2004, the system software determines whether anencrypted program is already one of the running programs in the system.In one embodiment, the system software maintains a flag to indicatewhether an encrypted program is already one of the running programs inthe system. If an encrypted program is already one of the runningprograms in the system, flow proceeds to block 2006; otherwise, flowproceeds to block 2008.

At block 2006, the system software waits until the encrypted programcompletes and is no longer one of the running programs in the system.Flow proceeds to block 2008.

At block 2008, the microprocessor 100 allows the new encrypted programto run. Flow ends at block 2008.

Referring now to FIG. 21, a block diagram illustrating the fields of theEFLAGS register 128 of FIG. 1 according to an alternate embodiment ofthe present invention is shown. The EFLAGS register 128 of FIG. 21 issimilar to the embodiment of FIG. 4; however, the embodiment of FIG. 21also includes index bits 2104. According to one embodiment, the indexbits 2104, like the E bit 402, comprise bits that are conventionallyRESERVED by the x86 architecture. The index field 2104 accommodatesswitching between multiple encrypted programs, as described below.Preferably, the switch key instruction 600 and branch and switch keyinstructions 900/1200 update the EFLAGS register 128 index field 2104with the value specified in the respective key register file index field604/904/1304.

Referring now to FIG. 22, a flowchart illustrating operation of themicroprocessor 100 of FIG. 1 having an EFLAGS register 128 according toFIG. 21 to accommodate task switching between multiple encryptedprograms according to the present invention is shown. Flow begins atblock 2202.

At block 2202, a request is made to the system software to run a newencrypted program. Flow proceeds to decision block 2204.

At decision block 2204, the system software determines whether there isspace available in the key register file 124 to accommodate a newencrypted program. In one embodiment, the request made at block 2202specifies the amount of space needed in the key register file 124. Ifthere is space available in the key register file 124 to accommodate thenew encrypted program, flow proceeds to block 2208; otherwise, flowproceeds to block 2206.

At block 2206, the system software waits until there is space availablein the key register file 124 to accommodate the new encrypted program bywaiting until one or more encrypted programs complete. Flow proceeds toblock 2208.

At block 2208, the system software allocates the space in the keyregister file 124 to the new encrypted program and populates the indexfield 2104 in the EFLAGS register 128 accordingly to indicate thelocation of the newly allocated space in the key register file 124. Flowproceeds to block 2212.

At block 2212, the system software loads the key register file 124locations allocated at block 2208 with the key values for the newprogram. As discussed above, this may be from the secure memory area 122using the load key instruction 400 or, if necessary, from a locationoutside the microprocessor 100 in a secure manner. Flow proceeds toblock 2214.

At block 2214, the system software loads the master key registers 142from the key register file 124 based on the key register file indexfield 604/904/1304. In one embodiment, the system software executes aswitch key instruction 600 to load the master key registers 142. Flowproceeds to block 2216.

At block 2216, as control is transferred to the encrypted program, themicroprocessor 100 sets the EFLAGS register 128 E bit 402 to indicatethat the currently executing program is encrypted, and sets the controlregister 144 E bit 148 to place the fetch unit 104 in decryption mode.Flow ends at block 2216.

Referring now to FIG. 23, a flowchart illustrating operation of themicroprocessor 100 of FIG. 1 having an EFLAGS register 128 according toFIG. 21 to accommodate task switching between multiple encryptedprograms according to the present invention is shown. Flow begins atblock 2302.

At block 2302, a currently running program executes a return frominterrupt instruction to cause a task switch to occur to a new programthat was previously executing but was swapped out and whosearchitectural state (e.g., EFLAGS register 128, instruction pointerregister, and general purpose registers) was saved onto a stack inmemory. As mentioned above, in one embodiment, the return from interruptinstruction is implemented in microcode. The currently running programand the new program may be an encrypted program or a plain text program.Flow proceeds to block 2304.

At block 2304, the microprocessor 100 restores from the stack in memorythe EFLAGS register 128 for the new program. That is, the microprocessor100 loads the EFLAGS register 128 with the EFLAGS register 128 valuethat was previously saved onto the stack when the new program (i.e., theprogram now being swapped back in) was swapped out. Flow proceeds todecision block 2306.

At decision block 2306, the microprocessor 100 determines whether the Ebit 402 in the restored EFLAGS register 128 is set. If so, flow proceedsto block 2308; otherwise, flow proceeds to block 2312.

At block 2308, the microprocessor 100 loads the master key registers 142from the key register file 124 based on the EFLAGS register 128 indexfield 2104 value that was restored at block 2304. Flow proceeds to block2312.

At block 2312, the microprocessor 100 updates the control register 144 Ebit 148 with the EFLAGS register 128 E bit 402 value that was restoredat block 2304. Thus, if the new program is an encrypted program, thefetch unit 104 will be placed in decryption mode and otherwise it willbe placed in plain text mode. Flow proceeds to block 2314.

At block 2314, the microprocessor 100 restores the instruction pointerregister with the value from the stack in memory and causes a branch tothe instruction pointer value, which causes all x86 instructions in themicroprocessor 100 to be flushed and which causes all micro-ops in themicroprocessor 100 to be flushed. This includes all instruction bytes106 fetched from the instruction cache 102 that may be waiting inbuffers of the fetch unit 104 to be decrypted and the decode unit 108 tobe decoded. Flow proceeds to block 2316.

At block 2316, the fetch unit 104 resumes fetching the instructions 106of the new program as described above with respect to FIGS. 1 through 3,either in decryption mode or plain text mode according to the value ofthe control register 144 E bit 148 restored at block 2312. Flow ends atblock 2316.

Referring now to FIG. 24, a block diagram illustrating a single registerof the key register file 124 of FIG. 1 according to an alternateembodiment of the present invention is shown. According to theembodiment of FIG. 24, each key register file 124 further includes abit, referred to as the kill (K) bit 2402. The K bit 2402 accommodatesmultitasking by the microprocessor 100 between multiple encryptedprograms that collectively require more space than the size of the keyregister file 124 space, as described in more detail below.

Referring now to FIG. 25, a flowchart illustrating operation of themicroprocessor 100 of FIG. 1 having an EFLAGS register 128 according toFIG. 21 and a key register file 124 according to FIG. 24 to accommodatetask switching between multiple encrypted programs according to analternate embodiment of the present invention is shown. The flowchart ofFIG. 25 is similar to the flowchart of FIG. 22; however, if it isdetermined at decision block 2204 that there is no space available inthe key register file 124, flow proceeds to block 2506 rather than toblock 2206 which does not exist in FIG. 25; otherwise, flow proceeds toblocks 2208 through 2216 of FIG. 22.

At block 2506, the system software allocates space (i.e., registers)within the key register file 124 that is already in use by (i.e., hasalready been allocated to) another encrypted program and sets the K bit2402 of the allocated registers and populates the index field 2104 inthe EFLAGS register 128 accordingly to indicate the location of thenewly allocated space in the key register file 124. The K bit 2402 isset because the key values of the other encrypted program in theallocated registers will be clobbered at block 2212 with the new valuesof the new encrypted program. However, advantageously as described belowwith respect to FIG. 26, the key values of the other encrypted programwill be re-loaded at block 2609 when the other encrypted program isswapped back in. Flow proceeds from block 2506 to blocks 2212 through2216 of FIG. 22.

Referring now to FIG. 26, a flowchart illustrating operation of themicroprocessor 100 of FIG. 1 having an EFLAGS register 128 according toFIG. 21 and a key register file 124 according to FIG. 24 to accommodatetask switching between multiple encrypted programs according to analternate embodiment of the present invention is shown. The flowchart ofFIG. 26 is similar to the flowchart of FIG. 23; however, if it isdetermined at decision block 2306 that the EFLAGS register 128 E bit 402is set, flow proceeds to decision block 2607 rather than to block 2308.

At decision block 2607, the microprocessor 100 determines whether the Kbit 2402 of any of the key register file 124 registers specified by theEFLAGS register 128 index field 2104 value (which was restored at block2304) are set. If so, flow proceeds to block 2609; otherwise, flowproceeds to block 2308.

At block 2609, the microprocessor 100 generates an exception to anexception handler. In one embodiment, the exception handler is includedin the system software. In one embodiment, the exception handler isprovided by the secure execution mode (SEM) architecture. The exceptionhandler re-loads the keys of the restored encrypted program (i.e., theencrypted program that is now being swapped back in) into the keyregister file 124 based on the EFLAGS register 128 index field 2104value that was restored at block 2304. The exception handler mayfunction similar to the manner described above with respect to block1908 of FIG. 19 to load the keys of the restored encrypted program intothe key register file 124 and, if necessary, into the secure memory area122 from outside the microprocessor 100. Additionally, if the keyregister file 124 registers that are being re-loaded are still in use byanother encrypted program, the system software sets the K bit 2402 ofthe re-loaded registers. Flow proceeds from block 2609 to block 2308,and blocks 2308 through 2316 are similar to those of FIG. 23.

As may be observed from FIGS. 24 through 26, the embodiment describedtherein advantageously enables the microprocessor 100 to multitaskbetween multiple encrypted programs that collectively require more spacethan the size of the key register file 124 space.

Referring now to FIG. 27, a block diagram illustrating portions of themicroprocessor 100 of FIG. 1 according to an alternate embodiment of thepresent invention is shown. Like numbered elements to FIG. 1 aresimilar, specifically the instruction cache 102, fetch unit 104, and keyregister file 124. However, the fetch unit 104 is modified to includekey switch logic 2712 that is coupled to the master key register file142 and to the key register file 124 of FIG. 1. The microprocessor 100of FIG. 27 also includes a branch target address cache (BTAC) 2702. TheBTAC 2702 receives the fetch address 134 of FIG. 1 and is accessed inparallel with the access of the instruction cache 102 by the fetchaddress 134. In response to the fetch address 134, the BTAC 2702provides a branch target address 2706 to the fetch address generator 164of FIG. 1; provides a taken/not taken (T/NT) indicator 2708 and a typeindicator 2714 to the key switch logic 2712; and provides a key registerfile (KRF) index 2712 to the key register file 124.

Referring now to FIG. 28, a block diagram illustrating in more detailthe BTAC 2702 of FIG. 27 according to the present invention is shown.The BTAC 2702 includes a BTAC array 2802 comprising a plurality of BTACentries 2808, whose contents are described with respect to FIG. 29. TheBTAC 2802 caches information concerning the history of previouslyexecuted branch instructions in order to make predictions about thedirection and target address of the branch instructions on subsequentexecutions thereof. More specifically, the BTAC 2802 makes predictionson subsequent fetches of the previously executed branch instructionsbased on the fetch address 134 using the cached history information. Theoperation of branch target address caches is well-known in the art ofbranch prediction. However, advantageously, the BTAC 2802 according tothe present invention is modified to cache information concerning thehistory of previously executed branch and switch key instructions900/1200 in order to make predictions about them. More specifically, thecached history information enables the BTAC 2802 to predict at fetchtime the set of values that a fetched branch and switch key instruction900/1200 will load in the master key register 142. This advantageouslyenables the switch key logic 2712 to load the values before the branchand switch key instruction 900/1200 is actually executed, which avoidshaving to flush the microprocessor 100 pipeline upon execution of thebranch and switch key instruction 900/1200, as described in more detailbelow. Furthermore, according to one embodiment, the BTAC 2802 is alsomodified to cache information concerning the history of previouslyexecuted switch key instructions 600 to a similar advantage.

Referring now to FIG. 29, a block diagram illustrating in more detailthe contents of a BTAC entry 2808 of FIG. 28 according to the presentinvention is shown. Each entry 2808 includes a valid bit 2902 forindicating whether the entry 2808 is valid. Each entry 2808 alsoincludes a tag field 2904 for comparing with a portion of the fetchaddress 134. If the index portion of the fetch address 134 selects anentry 2808 whose tag portion of the fetch address 134 matches the tag2904 that is valid, then the fetch address 134 hits in the BTAC 2802.Each entry 2808 also includes a target address field 2906 used forcaching target addresses of previously executed branch instructions,including branch and switch key instructions 900/1200. Each entry 2808also includes a taken/not taken (T/NT) field 2908 used for cachingdirection history of previously executed branch instructions, includingbranch and switch key instructions 900/1200. Each entry 2808 includes akey register file index field 2912 used for caching the key registerfile index 904/1304 history of previously executed branch and switch keyinstructions 900/1200, as described in more detail below. According toone embodiment, the BTAC 2802 also caches in the key register file index2912 field the key register file index 604 history of previouslyexecuted switch key instructions 600. Each entry 2808 also includes atype field 2914 that indicates the type of instruction that waspreviously executed and for which its history information is cached inthe entry 2808. For example, the type field 2914 may indicate whetherthe instruction is a call, return, conditional jump, unconditional jump,branch and switch key instruction 900/1200, or switch key instruction600.

Referring now to FIG. 30, a flowchart illustrating operation of themicroprocessor 100 of FIG. 27 including the BTAC 2802 of FIG. 28according to the present invention is shown. Flow begins at block 3002.

At block 3002, the microprocessor 100 executes a branch and switch keyinstruction 900/1200, as described in more detail with respect to FIG.32. Flow proceeds to block 3004.

At block 3004, the microprocessor 100 allocates an entry 2808 in theBTAC 2802 and populates the target address 2906, T/NT 2908, KRF index2912, and type 2914 fields with the resolved direction, target address,key register file index 904/1304, and instruction type, respectively, ofthe executed branch and switch key instruction 900/1200 in order tocache the history of the executed branch and switch key instruction900/1200. Flow ends at block 3004.

Referring now to FIG. 31, a flowchart illustrating operation of themicroprocessor 100 of FIG. 27 including the BTAC 2802 of FIG. 28according to the present invention is shown. Flow begins at block 3102.

At block 3102, the fetch address 134 is applied to the instruction cache102 and to the BTAC 2802. Flow proceeds to block 3104.

At block 3104, the fetch address 134 hits in the BTAC 2802 and the BTAC2802 outputs the values of the target address 2906, T/NT 2908, keyregister file index 2912, and type 2914 fields of the hitting entry 2808on the target address 2706, T/NT 2708, KRF index 2712, and type 2714outputs, respectively. In particular, the type field 2914 indicates abranch and switch key instruction 900/1200. Flow proceeds to decisionblock 3106.

At decision block 3106, the key switch logic 2712 determines whether thebranch and switch key instruction 900/1200 is predicted taken by theBTAC 2802 by examining the T/NT output 2708. If the T/NT output 2708indicates the branch and switch key instruction 900/1200 is taken, flowproceeds to block 3112; otherwise, flow proceeds to block 3108.

At block 3108, the microprocessor 100 pipes down along with the branchand switch key instruction 900/1200 an indication that a not takenprediction was made by the BTAC 2802. (Additionally, if the T/NT output2708 indicates the branch and switch key instruction 900/1200 is taken,at block 3112 the microprocessor 100 pipes down along with the branchand switch key instruction 900/1200 an indication that a takenprediction was made by the BTAC 2802.) Flow ends at block 3108.

At block 3112, the fetch address generator 164 updates the fetch address134 based on the predicted target address 2706 made by the BTAC 2802 atblock 3104. Flow proceeds to block 3114.

At block 3114, the key switch logic 2712 updates the master keyregisters 142 with the values from the key register file 124 at thepredicted key register file index 2712 made by the BTAC 2802 at block3104. In one embodiment, the key switch logic 2712 stalls the fetch unit104 from fetching blocks of instruction data 106, if necessary, untilthe master key registers 142 are updated. Flow proceeds to block 3116.

At block 3116, the fetch unit 104 continues fetching and decryptinginstruction data 106 using the new master key register 142 values loadedat block 3114. Flow ends at block 3116.

Referring now to FIG. 32, a flowchart illustrating operation of themicroprocessor 100 of FIG. 27 to perform a branch and switch keyinstruction 900/1200 according to the present invention is shown. Theflowchart of FIG. 32 is similar in some ways to the flowchart of FIG. 10and like-numbered blocks are similar. Although FIG. 32 is described withrespect to FIG. 10, the method may also be used with respect to theoperation of the branch and switch key instruction 1200 of FIG. 14. Flowbegins at block 1002.

At block 1002, the decode unit 108 decodes a branch and switch keyinstruction 900/1200 and traps to the microcode routine in the microcodeunit 132 that implements the branch and switch key instruction 900/1200.Flow proceeds to block 1004.

At block 1006, the microcode resolves the branch direction (i.e., takenor not taken) and target address. Flow proceeds to decision block 3208.

At decision block 3208, the microcode determines whether the BTAC 2802made a prediction for the branch and switch key instruction 900/1200. Ifso, flow proceeds to decision block 3214; otherwise, flow proceeds toblock 1008 of FIG. 10.

At decision block 3214, the microcode determines whether the BTAC 2802prediction was correct by comparing the piped down BTAC 2802 T/NT 2708and target address 2706 predictions with the direction and targetaddress resolved at block 1006. If the BTAC 2802 prediction was correct,flow ends; otherwise, flow proceeds to decision block 3216.

At decision block 3216, the microcode determines whether the incorrectBTAC 2802 prediction was taken or not taken. If taken, flow proceeds toblock 3222; otherwise, flow proceeds to block 1014 of FIG. 10.

At block 3222, the microcode restores the master key registers 142 sincethey were loaded with incorrect values at block 3114 of FIG. 31 due toan incorrect prediction of a taken branch and switch key instruction900/1200 by the BTAC 2802. In one embodiment, the key switch logic 2712includes storage and logic for restoring the master key registers 142.In one embodiment, the microcode generates an exception to an exceptionhandler to restore the master key registers 142. Additionally, themicrocode causes the microprocessor 100 to branch to the next sequentialx86 instruction after the branch and switch key instruction 900/1200,which causes all x86 instructions in the microprocessor 100 to beflushed that are newer than the branch and switch key instruction900/1200 and which causes all micro-ops in the microprocessor 100 to beflushed that are newer than the micro-op that branches to the targetaddress. This includes all instruction bytes 106 fetched from theinstruction cache 102 that may be waiting in buffers of the fetch unit104 to be decrypted and the decode unit 108 to be decoded. As a resultof the branch to the next sequential instruction, the fetch unit 104begins fetching and decrypting instruction data 106 from the instructioncache 102 using the restored set of key values loaded into the masterkey registers 142. Flow ends at block 3222.

In addition to the security advantages provided by the instructiondecryption embodiments described above that are incorporated in themicroprocessor 100, the present inventors have also developedrecommended coding guidelines that can be used in conjunction with theembodiments described to weaken statistical attacks on encrypted x86code based on analysis of actual x86 instruction usage.

First, because an attacker will likely assume all 16 bytes of fetchedinstruction data 106 are x86 instructions, the code should have “holes”in the 16-byte blocks relative to program execution flow. That is, thecode should include instructions to jump around some of the instructionbytes to create holes of unexecuted bytes that can be filled withappropriate value to increase the entropy of the plaintext bytes.Additionally, the code can use immediate data values wherever possibleif doing so increases the entropy of the plaintext. Additionally, theimmediate data values may be chosen to give false clues as to thelocations of instruction opcodes.

Second, the code may include special NOP instructions that contain“don't care” fields with appropriate values to increase entropy. Forexample, the x86 instruction 0x0F0D05xxxxxxxx is a seven-byte NOP wherethe last four bytes can be any value. There are other forms withdifferent opcodes and differing numbers of don't care bytes.

Third, many x86 instructions have the same basic function as other x86instructions. Where there are equivalent-function instructions, the codemay employ multiple forms instead of reusing the same instruction and/oruse the form that increases the plaintext entropy. For example, theinstructions 0xC10107 and 0xC10025 do the same thing. Finally, someequivalent-function instructions have different length versions, such as0xEB22 and 0xE90022; thus, the code may employ multiple differing-lengthequivalent-function instructions.

Fourth, the x86 architecture allows the use of redundant or meaninglessopcode prefixes that the code may carefully employ to further increasethe entropy. For example, the instructions 0x40 and 0x2627646567F2F340mean exactly the same thing. Because there are only eight “safe” x86prefixes, they must be sprinkled into the code carefully to avoid makingtheir frequency too high.

Although embodiments have been described in which the key expanderperforms a rotate and add/subtract function on a pair of master keyregister values, other embodiments are contemplated in which the keyexpander performs a function on more than two master key registervalues; additionally, the function may be different than the rotate andadd/subtract function. Furthermore, embodiments of the switch keyinstruction 600 of FIG. 6 and the branch and switch key instruction 900of FIG. 9 are contemplated in which the new key values are loaded intothe master key register file 142 from the secure memory area 122 ratherthan from key register file 124; and embodiments of the branch andswitch key instruction 1500 of FIG. 15 are contemplated in which theindex field 2104 is used to store an address in the secure memory area122. Finally, although embodiments have been described in which the BTAC2702 is modified to cache a KRF index for use with the branch and switchkey instructions 900/1200, embodiments are contemplated in which theBTAC 2702 is modified to cache an SMA address for use with the branchand switch key instructions 1500.

It will be understood that the master keys 172, including each first andsecond keys 234 and 236 that make up any given key pair, canalternatively be referred to as decryption key primitives, because thedecryption key 174 is derived from the first and second keys 234 and236. The word “primitive” is used herein as an antonym for “derivative.”

While various embodiments of the present invention have been describedherein, it should be understood that they have been presented by way ofexample, and not limitation. It will be apparent to persons skilled inthe relevant computer arts that various changes in form and detail canbe made therein without departing from the scope of the invention. Forexample, software can enable, for example, the function, fabrication,modeling, simulation, description and/or testing of the apparatus andmethods described herein. This can be accomplished through the use ofgeneral programming languages (e.g., C, C++), hardware descriptionlanguages (HDL) including Verilog HDL, VHDL, and so on, or otheravailable programs. Such software can be disposed in any known computerusable medium such as magnetic tape, semiconductor, magnetic disk, oroptical disc (e.g., CD-ROM, DVD-ROM, etc.), a network, wire line,wireless or other communications medium. Embodiments of the apparatusand method described herein may be included in a semiconductorintellectual property core, such as a microprocessor core (e.g.,embodied in HDL) and transformed to hardware in the production ofintegrated circuits. Additionally, the apparatus and methods describedherein may be embodied as a combination of hardware and software. Thus,the present invention should not be limited by any of the exemplaryembodiments described herein, but should be defined only in accordancewith the following claims and their equivalents. Specifically, thepresent invention may be implemented within a microprocessor devicewhich may be used in a general purpose computer. Finally, those skilledin the art should appreciate that they can readily use the disclosedconception and specific embodiments as a basis for designing ormodifying other structures for carrying out the same purposes of thepresent invention without departing from the scope of the invention asdefined by the appended claims.

We claim:
 1. A microprocessor comprising: an instruction-processingpipeline including a fetch unit and an execution unit; a processor bus;a cache memory hierarchy; and a secure memory, inaccessible via theprocessor bus and not part of the cache memory hierarchy, configured tostore cryptographic keys; wherein the microprocessor is configured torestrict access to the secure memory by preventing a non-privilegedprogram from reading or writing cryptographic key values to or from thesecure memory; wherein the microprocessor is further configured to:receive a request to switch from a normal execution mode in whichencrypted instructions are unable to be executed, into a secureexecution mode (SEM), in which they are able to be executed;conditionally grant the request to switch into the SEM on the basis ofwhether the request is in the form of an instruction carrying anencrypted parameter, the instruction is part of a privileged program orprocess, and the encrypted parameter, when decrypted, meets apredetermined criterion for running an encrypted program; execute aninstruction to write a set of one or more cryptographic key values intoa secure memory of the microprocessor; fetch encrypted instructions ofthe encrypted program from an instruction cache into the fetch unit; andwithin the fetch unit, decrypt the encrypted instructions of theencrypted program into plaintext instructions using decryption logicwithin the instruction-processing pipeline, the decryption logic usingcryptographic key values stored in the secure memory, or one or morederivatives thereof, to decrypt the encrypted program; and execute theplaintext instructions as other encrypted instructions of the encryptedprogram are fetched, without storing the plaintext instructions prior totheir execution and without exposing the plaintext instructions to anynon-privileged program or to any resources external to themicroprocessor.
 2. The microprocessor of claim 1, wherein themicroprocessor is configured to decrypt successive sections of theencrypted program using sets of one or more cryptographic key values, orderivatives thereof, that are selected from the secure memory accordingto addresses at which the successive sections of the encrypted programare stored.
 3. The microprocessor of claim 1, wherein the encryptedparameter and encrypted program are encrypted using distinctcryptographic mechanisms.
 4. The microprocessor of claim 3 whereinsuccessive sections of the encrypted program are encrypted according toaddresses at which the successive sections of the encrypted program arestored.
 5. The microprocessor of claim 1, wherein the microprocessor isconfigured to execute an instruction to write cryptographic key valuesto the secure memory using an immediate data field of the instruction.6. The microprocessor of claim 1, wherein the secure memory isconfigured to receive cryptographic key values through an encryptedchannel.
 7. The microprocessor of claim 1, wherein the microprocessorcomprises SEM exception handling logic and SEM interrupt handling logicthat are inaccessible to programs running in normal execution mode, andthe microprocessor is configured to use the SEM exception handling logicand SEM interrupt handling logic when operating in the SEM.
 8. Themicroprocessor of claim 1, wherein the microprocessor is configured toprevent decryption of encrypted instructions unless the microprocessoris in the SEM.
 9. The microprocessor of claim 1, wherein themicroprocessor is configured to prevent decryption of encryptedinstructions unless the microprocessor is operating in the systemmanagement mode of the x86 architecture.
 10. A method of securelyexecuting encrypted instructions within a microprocessor, the methodcomprising: receiving a request to switch from a normal execution modein which encrypted instructions are unable to be executed, into a secureexecution mode (SEM), in which they are able to be executed;conditionally granting the request to switch into the SEM on the basisof whether the request is in the form of an instruction carrying anencrypted parameter, the instruction is part of a privileged program orprocess, and the encrypted parameter, when decrypted, meets apredetermined criterion for running an encrypted program; executing aninstruction to write a set of cryptographic key values into a securememory of the microprocessor, wherein the secure memory is inaccessiblefrom a processor bus of the microprocessor and is not part of a cachememory hierarchy, and wherein the non-privileged program is unable toread or write cryptographic key values from or to the secure memory;fetching encrypted instructions of the encrypted program from aninstruction cache into a fetch unit of an instruction processingpipeline; and decrypting the encrypted instructions of the encryptedprogram into plaintext instructions using decryption logic within theinstruction-processing pipeline, and using one or more sets of one ormore cryptographic key values stored in the secure memory, or one ormore derivatives thereof, to decrypt the encrypted program; andexecuting the plaintext instructions as other encrypted instructions ofthe encrypted program are fetched, without storing the plaintextinstructions prior to their execution and without exposing the plaintextinstructions to any non-privileged program or to any resources externalto the microprocessor.
 11. The method of claim 10, further comprising:selecting successive sets of one or more cryptographic key values withwhich to decrypt the encrypted program according to addresses at whichsuccessive sections of the encrypted program are stored; and decryptingsuccessive sections of the encrypted program using the selected sets.12. The method of claim 10, further comprising encrypting the encryptedparameter and the encrypted program using distinct cryptographicmechanisms.
 13. The method of claim 12, further comprising encryptingsuccessive sections of the encrypted program according to addresses atwhich the successive sections of the encrypted program are stored. 14.The method of claim 10, wherein the instruction to write cryptographickey values to the secure memory stores the cryptographic key values inan immediate data field of the instruction.
 15. The method of claim 10,further comprising receiving cryptographic key values through anencrypted channel.
 16. The method of claim 10, further comprising usingSEM exception handling logic and SEM interrupt handling logic that areinaccessible to programs running in normal execution mode to handleinterrupts and exceptions while operating in the SEM.
 17. The method ofclaim 10, further comprising preventing decryption of encryptedinstructions unless the microprocessor is in the SEM.
 18. The method ofclaim 10, further comprising preventing decryption of encryptedinstructions unless the microprocessor is operating in the systemmanagement mode of the x86 architecture.
 19. A computer program productencoded in at least one non-transitory computer usable medium for usewith a computing device, the computer program product comprising:computer usable program code embodied in said medium, for specifying amicroprocessor, the computer usable program code comprising: firstprogram code for specifying an instruction-processing pipeline includinga fetch unit and an execution unit; second program code for specifying aprocessor bus; third program code for specifying a cache memoryhierarchy; fourth program code for specifying a secure memory,inaccessible via the processor bus and not part of the cache memoryhierarchy, configured to store cryptographic keys; fifth program codefor specifying a configuration of the microprocessor to restrict accessto the secure memory by preventing a non-privileged program from readingor writing cryptographic key values to or from the secure memory; sixthprogram code for specifying a configuration of the microprocessor toreceive a request to switch from a normal execution mode in whichencrypted instructions are unable to be executed, into a secureexecution mode (SEM), in which they are able to be executed; seventhprogram code for specifying a configuration of the microprocessor toconditionally grant the request to switch into the SEM on the basis ofwhether the request is in the form of an instruction carrying anencrypted parameter, the instruction is part of a privileged program orprocess, and the encrypted parameter, when decrypted, meets apredetermined criterion for running an encrypted program; eighth programcode for specifying one or more execution units to execute aninstruction to write a set of one or more cryptographic key values intoa secure memory of the microprocessor; ninth program code for specifyinga configuration of the fetch unit to fetch encrypted instructions of theencrypted program from an instruction cache into the fetch unit; andtenth program code for specifying decryption logic with in the fetchunit to decrypt the encrypted instructions of the encrypted program intoplaintext instructions, the decryption logic using one or more sets ofone or more cryptographic key values stored in the secure memory, or oneor more derivatives thereof, to decrypt the encrypted program; andeleventh program code for specifying a configuration of themicroprocessor to execute the plaintext instructions as other encryptedinstructions of the encrypted program are fetched, without storing theplaintext instructions prior to their execution and without exposing theplaintext instructions to any non-privileged program or to any resourcesexternal to the microprocessor.